AWS Security Blog

What’s New in AWS Key Management Service: AWS CloudFormation Support and Integration with More AWS Services

November 1, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.


We’re happy to make two announcements about what’s new in AWS Key Management Service (KMS).

First, AWS CloudFormation has added a template for KMS that lets you quickly create AWS KMS keys (KMS keys) and set their properties. Starting today, you can use the AWS::KMS::Key resource to create a KMS key. To get started, you can use AWS CloudFormation Designer to drag and drop a KMS key resource type into your template, as shown in the following image.

Image of dragging a KMS key resource type into a CloudFormation Designer template

To learn more about using KMS with CloudFormation, see the “AWS::KMS::Key” section of the AWS CloudFormation User Guide.
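As an added illustration (not part of the original post), the following template declares an AWS::KMS::Key with automatic rotation enabled and a key policy that separates key administration from cryptographic use. The logical ID `AppDataKey`, the statement Sids, and the two role-ARN parameters are assumptions chosen for the example.

```yaml
# Added example: logical IDs, Sids and parameter names are illustrative assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: KMS key with rotation enabled and a scoped key policy
Parameters:
  KeyAdminRoleArn:   # IAM role that manages the key (assumed to exist)
    Type: String
  KeyUserRoleArn:    # IAM role that encrypts and decrypts data (assumed to exist)
    Type: String
Resources:
  AppDataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encrypts application data
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Lets IAM policies in this account grant access, so the key stays manageable.
          - Sid: EnableIamPolicies
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'   # in a key policy, '*' means this key
          # Administration only: the admin role gets no Encrypt or Decrypt.
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Ref KeyAdminRoleArn
            Action: ['kms:Describe*', 'kms:Get*', 'kms:List*', 'kms:Put*',
                     'kms:Update*', 'kms:Enable*', 'kms:Disable*']
            Resource: '*'
          # Cryptographic use only: the user role cannot change the key or its policy.
          - Sid: AllowCryptographicUse
            Effect: Allow
            Principal:
              AWS: !Ref KeyUserRoleArn
            Action: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*',
                     'kms:GenerateDataKey*', 'kms:DescribeKey']
            Resource: '*'
Outputs:
  KeyArn:
    Value: !GetAtt AppDataKey.Arn
```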

Second, AWS Import/Export Snowball, AWS CloudTrail, Amazon SES, Amazon WorkSpaces, and Amazon Kinesis Firehose now support encryption of data within those services using keys in KMS. As with other KMS-integrated services, you can use CloudTrail to audit the use of your KMS key to encrypt or decrypt your data in SES, Amazon WorkSpaces, CloudTrail, Import/Export Snowball, and Amazon Kinesis Firehose. To see the complete list of AWS services integrated with KMS, see KMS Product Details. For more details about how these services encrypt your data with KMS, see the How AWS Services Use AWS KMS documentation pages.

If you have questions or comments, please add them in the “Comments” section below or on the KMS forum.

– Sree